Why Firms Should Audit Strategic Risk
Many audit departments have underinvested in or ignored strategic risk to their company, instead focusing on smaller financial and compliance risks. The strategic decisions made during this stuttering economic recovery, and the execution of those decisions, will determine a company's successes or struggles for many years to come. Corporate Executive Board research shows that to ensure success, firms must ask their internal audit functions to expand their scope and start to audit strategic risk.
During the recession, audit functions focused on their comfort zone: providing assurance on financial and compliance risks. The best audit groups are now moving in the opposite direction and see their ability to provide assurance on strategic and key operational risks as more important now than ever before. They are working hard to provide risk-based auditing that truly reflects the realities of the risk environment.
Why Focus on Nontraditional Assurance Work
CEB analyzed what causes a steep drop in firms' market capitalization and found that 68% of risk events are strategic, and responsible for destroying more than 50% of firms' market capitalization. Another 13% of these events are operational risks. These disruptive risk events are directly attributable to the strategic management activities of an organization, but unfortunately most audit departments struggle to provide assurance over these activities.
In fact, the majority of audit departments spend as much as 80% of their time providing assurance on traditional areas such as financial and compliance risks, even though these risks make up only 18% of the drivers of decline. This means that many audit departments have underinvested in, if not ignored, a significant set of risks to the organization.
As a result of Sarbanes-Oxley, Internal Audit has rightly paid attention to the traditional areas of assurance; but, for the audit plan to truly reflect the realities of the risk environment, the focus must now shift in the other direction. Traditional audit work should not be abandoned entirely. Instead, audit departments need to find a better way to prioritize and determine the appropriate level of traditional assurance while expanding work in the nontraditional areas.
Move from Value Preservation to Value Creation
The first step to focusing more on nontraditional assurance areas is to define which management activities and processes fit within this realm. Audit departments are confident in providing assurance on financial- and compliance-related controls, management's value preservation work. Yet they often fail to provide assurance on strategy creation and execution, management's value creation work.
Audit functions should first align all of their work to the key strategic objectives of the company and, additionally, seek to provide assurance on the strategy itself. By doing so, audit departments will not only help their companies avoid and prepare for major strategic risks but will also help their firms achieve important goals.
Providing this new type of assurance will not be easy for most audit functions. Current audit practices do not support nontraditional assurance work. Audit planning tools fail to capture the breadth of possible activities and fieldwork, and reporting tools are too rigid to adjust to the varied needs in nontraditional work. In addition, audit staff will have to expand their capabilities and experience to include more critical thinking skills and business knowledge. Given these necessary changes in fundamental audit practices, the transition to a greater focus on company objectives and strategy will take time. However, audit departments must begin this transformation now to achieve its full potential and avoid their firm losing confidence in the value they provide to the company's success.